1445 lines
47 KiB
C
1445 lines
47 KiB
C
/*++
|
||
|
||
Copyright (c) 2000-2001 Microsoft Corporation
|
||
|
||
Module Name:
|
||
|
||
walkamd64.c
|
||
|
||
Abstract:
|
||
|
||
This file implements the AMD64 stack walking api.
|
||
|
||
Author:
|
||
|
||
Environment:
|
||
|
||
User Mode
|
||
|
||
--*/
|
||
|
||
#define _IMAGEHLP_SOURCE_
|
||
#include <nt.h>
|
||
#include <ntrtl.h>
|
||
#include <nturtl.h>
|
||
#include "private.h"
|
||
#define NOEXTAPI
|
||
#include "wdbgexts.h"
|
||
#include "ntdbg.h"
|
||
#include "symbols.h"
|
||
#include <stdlib.h>
|
||
#include <globals.h>
|
||
|
||
#define WDB(Args) SdbOut Args
|
||
|
||
//
|
||
// Lookup table providing the number of slots used by each unwind code.
|
||
//
|
||
|
||
UCHAR RtlpUnwindOpSlotTableAmd64[] = {
|
||
1, // UWOP_PUSH_NONVOL
|
||
2, // UWOP_ALLOC_LARGE (or 3, special cased in lookup code)
|
||
1, // UWOP_ALLOC_SMALL
|
||
1, // UWOP_SET_FPREG
|
||
2, // UWOP_SAVE_NONVOL
|
||
3, // UWOP_SAVE_NONVOL_FAR
|
||
2, // UWOP_SAVE_XMM
|
||
3, // UWOP_SAVE_XMM_FAR
|
||
2, // UWOP_SAVE_XMM128
|
||
3, // UWOP_SAVE_XMM128_FAR
|
||
1 // UWOP_PUSH_MACHFRAME
|
||
};
|
||
|
||
BOOL
|
||
WalkAmd64Init(
|
||
HANDLE Process,
|
||
LPSTACKFRAME64 StackFrame,
|
||
PAMD64_CONTEXT Context,
|
||
PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemoryRoutine,
|
||
PFUNCTION_TABLE_ACCESS_ROUTINE64 FunctionTableAccessRoutine,
|
||
PGET_MODULE_BASE_ROUTINE64 GetModuleBase
|
||
);
|
||
|
||
BOOL
|
||
WalkAmd64Next(
|
||
HANDLE Process,
|
||
LPSTACKFRAME64 StackFrame,
|
||
PAMD64_CONTEXT Context,
|
||
PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemoryRoutine,
|
||
PFUNCTION_TABLE_ACCESS_ROUTINE64 FunctionTableAccessRoutine,
|
||
PGET_MODULE_BASE_ROUTINE64 GetModuleBase
|
||
);
|
||
|
||
BOOL
|
||
UnwindStackFrameAmd64(
|
||
HANDLE Process,
|
||
PULONG64 ReturnAddress,
|
||
PULONG64 StackPointer,
|
||
PULONG64 FramePointer,
|
||
PAMD64_CONTEXT Context,
|
||
PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemory,
|
||
PFUNCTION_TABLE_ACCESS_ROUTINE64 FunctionTableAccess,
|
||
PGET_MODULE_BASE_ROUTINE64 GetModuleBase
|
||
);
|
||
|
||
|
||
PAMD64_UNWIND_INFO
|
||
ReadUnwindInfoAmd64(ULONG64 ImageBase, ULONG Offset,
|
||
BOOL ReadCodes, HANDLE Process,
|
||
PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemory,
|
||
PVOID StaticBuffer, ULONG StaticBufferSize)
|
||
{
|
||
ULONG Done;
|
||
ULONG UnwindInfoSize;
|
||
PAMD64_UNWIND_INFO UnwindInfo;
|
||
PVOID SymInfo = NULL;
|
||
ULONG SymInfoSize;
|
||
ULONG64 MemOffset = ImageBase + Offset;
|
||
|
||
// Static buffer should at least be large enough to read the
|
||
// basic structure.
|
||
if (StaticBufferSize < sizeof(*UnwindInfo)) {
|
||
return NULL;
|
||
}
|
||
UnwindInfo = (PAMD64_UNWIND_INFO)StaticBuffer;
|
||
|
||
// First read just the basic structure since the information
|
||
// is needed to compute the complete size.
|
||
if (!ReadMemory(Process, MemOffset,
|
||
UnwindInfo, sizeof(*UnwindInfo), &Done) ||
|
||
Done != sizeof(*UnwindInfo)) {
|
||
WDB((1, "Unable to read unwind info at %I64X\n", MemOffset));
|
||
|
||
SymInfo = GetUnwindInfoFromSymbols(Process, ImageBase, Offset,
|
||
&SymInfoSize);
|
||
if (!SymInfo || SymInfoSize < sizeof(*UnwindInfo)) {
|
||
WDB((1, "Unable to get symbol unwind info at %I64X:%X\n",
|
||
ImageBase, Offset));
|
||
return NULL;
|
||
}
|
||
|
||
memcpy(UnwindInfo, SymInfo, sizeof(*UnwindInfo));
|
||
}
|
||
|
||
if (!ReadCodes) {
|
||
return UnwindInfo;
|
||
}
|
||
|
||
// Compute the size of all the data.
|
||
UnwindInfoSize = sizeof(*UnwindInfo) +
|
||
(UnwindInfo->CountOfCodes - 1) * sizeof(AMD64_UNWIND_CODE);
|
||
// An extra alignment code and pointer may be added on to handle
|
||
// the chained info case where the chain pointer is just
|
||
// beyond the end of the normal code array.
|
||
if ((UnwindInfo->Flags & AMD64_UNW_FLAG_CHAININFO) != 0) {
|
||
if ((UnwindInfo->CountOfCodes & 1) != 0) {
|
||
UnwindInfoSize += sizeof(AMD64_UNWIND_CODE);
|
||
}
|
||
UnwindInfoSize += sizeof(ULONG64);
|
||
}
|
||
|
||
if (UnwindInfoSize > 0xffff) {
|
||
// Too large to be valid data, assume it's garbage.
|
||
WDB((1, "Invalid unwind info at %I64X\n", MemOffset));
|
||
return NULL;
|
||
}
|
||
|
||
if (SymInfo && UnwindInfoSize > SymInfoSize) {
|
||
WDB((1, "Insufficient unwind info in symbols for %I64X:%X\n",
|
||
ImageBase, Offset));
|
||
return NULL;
|
||
}
|
||
|
||
if (UnwindInfoSize > StaticBufferSize) {
|
||
UnwindInfo = (PAMD64_UNWIND_INFO)MemAlloc(UnwindInfoSize);
|
||
if (UnwindInfo == NULL) {
|
||
WDB((1, "Unable to allocate memory for unwind info\n"));
|
||
return NULL;
|
||
}
|
||
}
|
||
|
||
// Now read all the data.
|
||
if (SymInfo) {
|
||
memcpy(UnwindInfo, SymInfo, UnwindInfoSize);
|
||
} else if (!ReadMemory(Process, MemOffset, UnwindInfo, UnwindInfoSize,
|
||
&Done) ||
|
||
Done != UnwindInfoSize) {
|
||
if ((PVOID)UnwindInfo != StaticBuffer) {
|
||
MemFree(UnwindInfo);
|
||
}
|
||
|
||
WDB((1, "Unable to read unwind info at %I64X\n", MemOffset));
|
||
return NULL;
|
||
}
|
||
|
||
return UnwindInfo;
|
||
}
|
||
|
||
//
|
||
// ****** temp - defin elsewhere ******
|
||
//
|
||
|
||
#define SIZE64_PREFIX 0x48
|
||
#define ADD_IMM8_OP 0x83
|
||
#define ADD_IMM32_OP 0x81
|
||
#define JMP_IMM8_OP 0xeb
|
||
#define JMP_IMM32_OP 0xe9
|
||
#define LEA_OP 0x8d
|
||
#define POP_OP 0x58
|
||
#define RET_OP 0xc3
|
||
|
||
BOOLEAN
|
||
RtlpUnwindPrologueAmd64 (
|
||
IN ULONG64 ImageBase,
|
||
IN ULONG64 ControlPc,
|
||
IN ULONG64 FrameBase,
|
||
IN _PIMAGE_RUNTIME_FUNCTION_ENTRY FunctionEntry,
|
||
IN OUT PAMD64_CONTEXT ContextRecord,
|
||
IN HANDLE Process,
|
||
IN PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemory
|
||
)
|
||
|
||
/*++
|
||
|
||
Routine Description:
|
||
|
||
This function processes unwind codes and reverses the state change
|
||
effects of a prologue. If the specified unwind information contains
|
||
chained unwind information, then that prologue is unwound recursively.
|
||
As the prologue is unwound state changes are recorded in the specified
|
||
context structure and optionally in the specified context pointers
|
||
structures.
|
||
|
||
Arguments:
|
||
|
||
ImageBase - Supplies the base address of the image that contains the
|
||
function being unwound.
|
||
|
||
ControlPc - Supplies the address where control left the specified
|
||
function.
|
||
|
||
FrameBase - Supplies the base of the stack frame subject function stack
|
||
frame.
|
||
|
||
FunctionEntry - Supplies the address of the function table entry for the
|
||
specified function.
|
||
|
||
ContextRecord - Supplies the address of a context record.
|
||
|
||
--*/
|
||
|
||
{
|
||
|
||
ULONG64 FloatingAddress;
|
||
PAMD64_M128 FloatingRegister;
|
||
ULONG FrameOffset;
|
||
ULONG Index;
|
||
ULONG64 IntegerAddress;
|
||
PULONG64 IntegerRegister;
|
||
BOOLEAN MachineFrame;
|
||
ULONG OpInfo;
|
||
ULONG PrologOffset;
|
||
PULONG64 RegisterAddress;
|
||
ULONG64 ReturnAddress;
|
||
ULONG64 StackAddress;
|
||
PAMD64_UNWIND_CODE UnwindCode;
|
||
ULONG64 UnwindInfoBuffer[32];
|
||
PAMD64_UNWIND_INFO UnwindInfo;
|
||
ULONG Done;
|
||
ULONG UnwindOp;
|
||
|
||
//
|
||
// Process the unwind codes.
|
||
//
|
||
|
||
FloatingRegister = &ContextRecord->Xmm0;
|
||
IntegerRegister = &ContextRecord->Rax;
|
||
Index = 0;
|
||
MachineFrame = FALSE;
|
||
PrologOffset = (ULONG)(ControlPc - (FunctionEntry->BeginAddress + ImageBase));
|
||
|
||
WDB((1, "Prol: RIP %I64X, 0x%X bytes in function at %I64X\n",
|
||
ControlPc, PrologOffset, FunctionEntry->BeginAddress + ImageBase));
|
||
WDB((1, "Prol: Read unwind info at %I64X\n",
|
||
FunctionEntry->UnwindInfoAddress + ImageBase));
|
||
|
||
UnwindInfo =
|
||
ReadUnwindInfoAmd64(ImageBase, FunctionEntry->UnwindInfoAddress,
|
||
TRUE, Process, ReadMemory, UnwindInfoBuffer,
|
||
sizeof(UnwindInfoBuffer));
|
||
if (UnwindInfo == NULL) {
|
||
WDB((1, "Prol: Unable to read unwind info\n"));
|
||
return FALSE;
|
||
}
|
||
|
||
WDB((1, " Unwind info has 0x%X codes\n", UnwindInfo->CountOfCodes));
|
||
|
||
while (Index < UnwindInfo->CountOfCodes) {
|
||
|
||
WDB((1, " %02X: Code %X offs %03X, RSP %I64X\n",
|
||
Index, UnwindInfo->UnwindCode[Index].UnwindOp,
|
||
UnwindInfo->UnwindCode[Index].CodeOffset,
|
||
ContextRecord->Rsp));
|
||
|
||
//
|
||
// If the prologue offset is greater than the next unwind code offset,
|
||
// then simulate the effect of the unwind code.
|
||
//
|
||
|
||
UnwindOp = UnwindInfo->UnwindCode[Index].UnwindOp;
|
||
OpInfo = UnwindInfo->UnwindCode[Index].OpInfo;
|
||
if (PrologOffset >= UnwindInfo->UnwindCode[Index].CodeOffset) {
|
||
switch (UnwindOp) {
|
||
|
||
//
|
||
// Push nonvolatile integer register.
|
||
//
|
||
// The operation information is the register number of the
|
||
// register than was pushed.
|
||
//
|
||
|
||
case AMD64_UWOP_PUSH_NONVOL:
|
||
IntegerAddress = ContextRecord->Rsp;
|
||
if (!ReadMemory(Process, IntegerAddress,
|
||
&IntegerRegister[OpInfo], sizeof(ULONG64),
|
||
&Done) ||
|
||
Done != sizeof(ULONG64)) {
|
||
goto Fail;
|
||
}
|
||
|
||
ContextRecord->Rsp += 8;
|
||
break;
|
||
|
||
//
|
||
// Allocate a large sized area on the stack.
|
||
//
|
||
// The operation information determines if the size is
|
||
// 16- or 32-bits.
|
||
//
|
||
|
||
case AMD64_UWOP_ALLOC_LARGE:
|
||
Index += 1;
|
||
FrameOffset = UnwindInfo->UnwindCode[Index].FrameOffset;
|
||
if (OpInfo != 0) {
|
||
Index += 1;
|
||
FrameOffset += (UnwindInfo->UnwindCode[Index].FrameOffset << 16);
|
||
} else {
|
||
// The 16-bit form is scaled.
|
||
FrameOffset *= 8;
|
||
}
|
||
|
||
ContextRecord->Rsp += FrameOffset;
|
||
break;
|
||
|
||
//
|
||
// Allocate a small sized area on the stack.
|
||
//
|
||
// The operation information is the size of the unscaled
|
||
// allocation size (8 is the scale factor) minus 8.
|
||
//
|
||
|
||
case AMD64_UWOP_ALLOC_SMALL:
|
||
ContextRecord->Rsp += (OpInfo * 8) + 8;
|
||
break;
|
||
|
||
//
|
||
// Establish the the frame pointer register.
|
||
//
|
||
// The operation information is not used.
|
||
//
|
||
|
||
case AMD64_UWOP_SET_FPREG:
|
||
ContextRecord->Rsp = IntegerRegister[UnwindInfo->FrameRegister];
|
||
ContextRecord->Rsp -= UnwindInfo->FrameOffset * 16;
|
||
break;
|
||
|
||
//
|
||
// Save nonvolatile integer register on the stack using a
|
||
// 16-bit displacment.
|
||
//
|
||
// The operation information is the register number.
|
||
//
|
||
|
||
case AMD64_UWOP_SAVE_NONVOL:
|
||
Index += 1;
|
||
FrameOffset = UnwindInfo->UnwindCode[Index].FrameOffset * 8;
|
||
IntegerAddress = FrameBase + FrameOffset;
|
||
if (!ReadMemory(Process, IntegerAddress,
|
||
&IntegerRegister[OpInfo], sizeof(ULONG64),
|
||
&Done) ||
|
||
Done != sizeof(ULONG64)) {
|
||
goto Fail;
|
||
}
|
||
break;
|
||
|
||
//
|
||
// Save nonvolatile integer register on the stack using a
|
||
// 32-bit displacment.
|
||
//
|
||
// The operation information is the register number.
|
||
//
|
||
|
||
case AMD64_UWOP_SAVE_NONVOL_FAR:
|
||
Index += 2;
|
||
FrameOffset = UnwindInfo->UnwindCode[Index - 1].FrameOffset;
|
||
FrameOffset += (UnwindInfo->UnwindCode[Index].FrameOffset << 16);
|
||
IntegerAddress = FrameBase + FrameOffset;
|
||
if (!ReadMemory(Process, IntegerAddress,
|
||
&IntegerRegister[OpInfo], sizeof(ULONG64),
|
||
&Done) ||
|
||
Done != sizeof(ULONG64)) {
|
||
goto Fail;
|
||
}
|
||
break;
|
||
|
||
//
|
||
// Save a nonvolatile XMM(64) register on the stack using a
|
||
// 16-bit displacement.
|
||
//
|
||
// The operation information is the register number.
|
||
//
|
||
|
||
case AMD64_UWOP_SAVE_XMM:
|
||
Index += 1;
|
||
FrameOffset = UnwindInfo->UnwindCode[Index].FrameOffset * 8;
|
||
FloatingAddress = FrameBase + FrameOffset;
|
||
FloatingRegister[OpInfo].High = 0;
|
||
if (!ReadMemory(Process, FloatingAddress,
|
||
&FloatingRegister[OpInfo].Low, sizeof(ULONG64),
|
||
&Done) ||
|
||
Done != sizeof(ULONG64)) {
|
||
goto Fail;
|
||
}
|
||
break;
|
||
|
||
//
|
||
// Save a nonvolatile XMM(64) register on the stack using a
|
||
// 32-bit displacement.
|
||
//
|
||
// The operation information is the register number.
|
||
//
|
||
|
||
case AMD64_UWOP_SAVE_XMM_FAR:
|
||
Index += 2;
|
||
FrameOffset = UnwindInfo->UnwindCode[Index - 1].FrameOffset;
|
||
FrameOffset += (UnwindInfo->UnwindCode[Index].FrameOffset << 16);
|
||
FloatingAddress = FrameBase + FrameOffset;
|
||
FloatingRegister[OpInfo].High = 0;
|
||
if (!ReadMemory(Process, FloatingAddress,
|
||
&FloatingRegister[OpInfo].Low, sizeof(ULONG64),
|
||
&Done) ||
|
||
Done != sizeof(ULONG64)) {
|
||
goto Fail;
|
||
}
|
||
break;
|
||
|
||
//
|
||
// Save a nonvolatile XMM(128) register on the stack using a
|
||
// 16-bit displacement.
|
||
//
|
||
// The operation information is the register number.
|
||
//
|
||
|
||
case AMD64_UWOP_SAVE_XMM128:
|
||
Index += 1;
|
||
FrameOffset = UnwindInfo->UnwindCode[Index].FrameOffset * 16;
|
||
FloatingAddress = FrameBase + FrameOffset;
|
||
if (!ReadMemory(Process, FloatingAddress,
|
||
&FloatingRegister[OpInfo], sizeof(AMD64_M128),
|
||
&Done) ||
|
||
Done != sizeof(AMD64_M128)) {
|
||
goto Fail;
|
||
}
|
||
break;
|
||
|
||
//
|
||
// Save a nonvolatile XMM(128) register on the stack using a
|
||
// 32-bit displacement.
|
||
//
|
||
// The operation information is the register number.
|
||
//
|
||
|
||
case AMD64_UWOP_SAVE_XMM128_FAR:
|
||
Index += 2;
|
||
FrameOffset = UnwindInfo->UnwindCode[Index - 1].FrameOffset;
|
||
FrameOffset += (UnwindInfo->UnwindCode[Index].FrameOffset << 16);
|
||
FloatingAddress = FrameBase + FrameOffset;
|
||
if (!ReadMemory(Process, FloatingAddress,
|
||
&FloatingRegister[OpInfo], sizeof(AMD64_M128),
|
||
&Done) ||
|
||
Done != sizeof(AMD64_M128)) {
|
||
goto Fail;
|
||
}
|
||
break;
|
||
|
||
//
|
||
// Push a machine frame on the stack.
|
||
//
|
||
// The operation information determines whether the machine
|
||
// frame contains an error code or not.
|
||
//
|
||
|
||
case AMD64_UWOP_PUSH_MACHFRAME:
|
||
MachineFrame = TRUE;
|
||
ReturnAddress = ContextRecord->Rsp;
|
||
StackAddress = ContextRecord->Rsp + (3 * 8);
|
||
if (OpInfo != 0) {
|
||
ReturnAddress += 8;
|
||
StackAddress += 8;
|
||
}
|
||
|
||
if (!ReadMemory(Process, ReturnAddress,
|
||
&ContextRecord->Rip, sizeof(ULONG64),
|
||
&Done) ||
|
||
Done != sizeof(ULONG64)) {
|
||
goto Fail;
|
||
}
|
||
if (!ReadMemory(Process, StackAddress,
|
||
&ContextRecord->Rsp, sizeof(ULONG64),
|
||
&Done) ||
|
||
Done != sizeof(ULONG64)) {
|
||
goto Fail;
|
||
}
|
||
break;
|
||
|
||
//
|
||
// Unused codes.
|
||
//
|
||
|
||
default:
|
||
break;
|
||
}
|
||
|
||
Index += 1;
|
||
|
||
} else {
|
||
|
||
//
|
||
// Skip this unwind operation by advancing the slot index by the
|
||
// number of slots consumed by this operation.
|
||
//
|
||
|
||
Index += RtlpUnwindOpSlotTableAmd64[UnwindOp];
|
||
|
||
//
|
||
// Special case any unwind operations that can consume a variable
|
||
// number of slots.
|
||
//
|
||
|
||
switch (UnwindOp) {
|
||
|
||
//
|
||
// A non-zero operation information indicates that an
|
||
// additional slot is consumed.
|
||
//
|
||
|
||
case AMD64_UWOP_ALLOC_LARGE:
|
||
if (OpInfo != 0) {
|
||
Index += 1;
|
||
}
|
||
|
||
break;
|
||
|
||
//
|
||
// No other special cases.
|
||
//
|
||
|
||
default:
|
||
break;
|
||
}
|
||
}
|
||
}
|
||
|
||
//
|
||
// If chained unwind information is specified, then recursively unwind
|
||
// the chained information. Otherwise, determine the return address if
|
||
// a machine frame was not encountered during the scan of the unwind
|
||
// codes.
|
||
//
|
||
|
||
if ((UnwindInfo->Flags & AMD64_UNW_FLAG_CHAININFO) != 0) {
|
||
Index = UnwindInfo->CountOfCodes;
|
||
if ((Index & 1) != 0) {
|
||
Index += 1;
|
||
}
|
||
|
||
ULONG64 ChainEntryAddr =
|
||
*(PULONG64)(&UnwindInfo->UnwindCode[Index]) + ImageBase;
|
||
|
||
if (UnwindInfo != (PAMD64_UNWIND_INFO)UnwindInfoBuffer) {
|
||
MemFree(UnwindInfo);
|
||
}
|
||
|
||
_IMAGE_RUNTIME_FUNCTION_ENTRY ChainEntry;
|
||
|
||
WDB((1, " Chain to entry at %I64X\n", ChainEntryAddr));
|
||
|
||
if (!ReadMemory(Process, ChainEntryAddr,
|
||
&ChainEntry, sizeof(ChainEntry), &Done) ||
|
||
Done != sizeof(ChainEntry)) {
|
||
WDB((1, " Unable to read entry\n"));
|
||
return FALSE;
|
||
}
|
||
|
||
return RtlpUnwindPrologueAmd64(ImageBase,
|
||
ControlPc,
|
||
FrameBase,
|
||
&ChainEntry,
|
||
ContextRecord,
|
||
Process,
|
||
ReadMemory);
|
||
|
||
} else {
|
||
if (UnwindInfo != (PAMD64_UNWIND_INFO)UnwindInfoBuffer) {
|
||
MemFree(UnwindInfo);
|
||
}
|
||
|
||
if (MachineFrame == FALSE) {
|
||
if (!ReadMemory(Process, ContextRecord->Rsp,
|
||
&ContextRecord->Rip, sizeof(ULONG64),
|
||
&Done) ||
|
||
Done != sizeof(ULONG64)) {
|
||
return FALSE;
|
||
}
|
||
ContextRecord->Rsp += 8;
|
||
}
|
||
|
||
WDB((1, "Prol: Returning with RIP %I64X, RSP %I64X\n",
|
||
ContextRecord->Rip, ContextRecord->Rsp));
|
||
return TRUE;
|
||
}
|
||
|
||
Fail:
|
||
if (UnwindInfo != (PAMD64_UNWIND_INFO)UnwindInfoBuffer) {
|
||
MemFree(UnwindInfo);
|
||
}
|
||
WDB((1, "Prol: Unwind failed\n"));
|
||
return FALSE;
|
||
}
|
||
|
||
BOOLEAN
|
||
RtlVirtualUnwindAmd64 (
|
||
IN ULONG64 ImageBase,
|
||
IN ULONG64 ControlPc,
|
||
IN _PIMAGE_RUNTIME_FUNCTION_ENTRY FunctionEntry,
|
||
IN OUT PAMD64_CONTEXT ContextRecord,
|
||
OUT PULONG64 EstablisherFrame,
|
||
IN HANDLE Process,
|
||
IN PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemory
|
||
)
|
||
|
||
/*++
|
||
|
||
Routine Description:
|
||
|
||
This function virtually unwinds the specified function by executing its
|
||
prologue code backward or its epilogue code forward.
|
||
|
||
If a context pointers record is specified, then the address where each
|
||
nonvolatile registers is restored from is recorded in the appropriate
|
||
element of the context pointers record.
|
||
|
||
Arguments:
|
||
|
||
ImageBase - Supplies the base address of the image that contains the
|
||
function being unwound.
|
||
|
||
ControlPc - Supplies the address where control left the specified
|
||
function.
|
||
|
||
FunctionEntry - Supplies the address of the function table entry for the
|
||
specified function.
|
||
|
||
ContextRecord - Supplies the address of a context record.
|
||
|
||
EstablisherFrame - Supplies a pointer to a variable that receives the
|
||
the establisher frame pointer value.
|
||
|
||
--*/
|
||
|
||
{
|
||
|
||
ULONG64 BranchTarget;
|
||
LONG Displacement;
|
||
ULONG FrameRegister;
|
||
ULONG Index;
|
||
LOGICAL InEpilogue;
|
||
PULONG64 IntegerRegister;
|
||
PUCHAR NextByte;
|
||
ULONG PrologOffset;
|
||
ULONG RegisterNumber;
|
||
PAMD64_UNWIND_INFO UnwindInfo;
|
||
ULONG64 UnwindInfoBuffer[8];
|
||
ULONG Done;
|
||
UCHAR InstrBuffer[32];
|
||
ULONG InstrBytes;
|
||
ULONG Bytes;
|
||
ULONG UnwindFrameReg;
|
||
|
||
//
|
||
// If the specified function does not use a frame pointer, then the
|
||
// establisher frame is the contents of the stack pointer. This may
|
||
// not actually be the real establisher frame if control left the
|
||
// function from within the prologue. In this case the establisher
|
||
// frame may be not required since control has not actually entered
|
||
// the function and prologue entries cannot refer to the establisher
|
||
// frame before it has been established, i.e., if it has not been
|
||
// established, then no save unwind codes should be encountered during
|
||
// the unwind operation.
|
||
//
|
||
// If the specified function uses a frame pointer and control left the
|
||
// function outside of the prologue or the unwind information contains
|
||
// a chained information structure, then the establisher frame is the
|
||
// contents of the frame pointer.
|
||
//
|
||
// If the specified function uses a frame pointer and control left the
|
||
// function from within the prologue, then the set frame pointer unwind
|
||
// code must be looked up in the unwind codes to detetermine if the
|
||
// contents of the stack pointer or the contents of the frame pointer
|
||
// should be used for the establisher frame. This may not atually be
|
||
// the real establisher frame. In this case the establisher frame may
|
||
// not be required since control has not actually entered the function
|
||
// and prologue entries cannot refer to the establisher frame before it
|
||
// has been established, i.e., if it has not been established, then no
|
||
// save unwind codes should be encountered during the unwind operation.
|
||
//
|
||
// N.B. The correctness of these assumptions is based on the ordering of
|
||
// unwind codes.
|
||
//
|
||
|
||
UnwindInfo =
|
||
ReadUnwindInfoAmd64(ImageBase, FunctionEntry->UnwindInfoAddress,
|
||
FALSE, Process, ReadMemory, UnwindInfoBuffer,
|
||
sizeof(UnwindInfoBuffer));
|
||
if (UnwindInfo == NULL) {
|
||
return FALSE;
|
||
}
|
||
|
||
PrologOffset = (ULONG)(ControlPc - (FunctionEntry->BeginAddress + ImageBase));
|
||
UnwindFrameReg = UnwindInfo->FrameRegister;
|
||
if (UnwindFrameReg == 0) {
|
||
*EstablisherFrame = ContextRecord->Rsp;
|
||
|
||
} else if ((PrologOffset >= UnwindInfo->SizeOfProlog) ||
|
||
((UnwindInfo->Flags & AMD64_UNW_FLAG_CHAININFO) != 0)) {
|
||
*EstablisherFrame = (&ContextRecord->Rax)[UnwindFrameReg];
|
||
*EstablisherFrame -= UnwindInfo->FrameOffset * 16;
|
||
|
||
} else {
|
||
|
||
// Read all the data.
|
||
UnwindInfo = ReadUnwindInfoAmd64(ImageBase,
|
||
FunctionEntry->UnwindInfoAddress,
|
||
TRUE, Process, ReadMemory,
|
||
UnwindInfoBuffer,
|
||
sizeof(UnwindInfoBuffer));
|
||
if (UnwindInfo == NULL) {
|
||
return FALSE;
|
||
}
|
||
|
||
Index = 0;
|
||
while (Index < UnwindInfo->CountOfCodes) {
|
||
if (UnwindInfo->UnwindCode[Index].UnwindOp == AMD64_UWOP_SET_FPREG) {
|
||
break;
|
||
}
|
||
|
||
Index += 1;
|
||
}
|
||
|
||
if (PrologOffset >= UnwindInfo->UnwindCode[Index].CodeOffset) {
|
||
*EstablisherFrame = (&ContextRecord->Rax)[UnwindFrameReg];
|
||
*EstablisherFrame -= UnwindInfo->FrameOffset * 16;
|
||
|
||
} else {
|
||
*EstablisherFrame = ContextRecord->Rsp;
|
||
}
|
||
|
||
if (UnwindInfo != (PAMD64_UNWIND_INFO)UnwindInfoBuffer) {
|
||
MemFree(UnwindInfo);
|
||
}
|
||
}
|
||
|
||
if (!ReadMemory(Process, ControlPc, InstrBuffer, sizeof(InstrBuffer),
|
||
&InstrBytes)) {
|
||
WDB((1, "Unable to read instruction stream at %I64X\n", ControlPc));
|
||
return FALSE;
|
||
}
|
||
|
||
//
|
||
// Check for epilogue.
|
||
//
|
||
// If the point at which control left the specified function is in an
|
||
// epilogue, then emulate the execution of the epilogue forward and
|
||
// return no exception handler.
|
||
//
|
||
|
||
IntegerRegister = &ContextRecord->Rax;
|
||
NextByte = InstrBuffer;
|
||
Bytes = InstrBytes;
|
||
|
||
//
|
||
// Check for one of:
|
||
//
|
||
// add rsp, imm8
|
||
// or
|
||
// add rsp, imm32
|
||
// or
|
||
// lea rsp, -disp8[fp]
|
||
// or
|
||
// lea rsp, -disp32[fp]
|
||
//
|
||
|
||
if (Bytes >= 4 &&
|
||
(NextByte[0] == SIZE64_PREFIX) &&
|
||
(NextByte[1] == ADD_IMM8_OP) &&
|
||
(NextByte[2] == 0xc4)) {
|
||
|
||
//
|
||
// add rsp, imm8.
|
||
//
|
||
|
||
NextByte += 4;
|
||
Bytes -= 4;
|
||
|
||
} else if (Bytes >= 7 &&
|
||
(NextByte[0] == SIZE64_PREFIX) &&
|
||
(NextByte[1] == ADD_IMM32_OP) &&
|
||
(NextByte[2] == 0xc4)) {
|
||
|
||
//
|
||
// add rsp, imm32.
|
||
//
|
||
|
||
NextByte += 7;
|
||
Bytes -= 7;
|
||
|
||
} else if (Bytes >= 4 &&
|
||
((NextByte[0] & 0xf8) == SIZE64_PREFIX) &&
|
||
(NextByte[1] == LEA_OP)) {
|
||
|
||
FrameRegister = ((NextByte[0] & 0x7) << 3) | (NextByte[2] & 0x7);
|
||
if ((FrameRegister != 0) &&
|
||
(FrameRegister == UnwindFrameReg)) {
|
||
if ((NextByte[2] & 0xf8) == 0x60) {
|
||
|
||
//
|
||
// lea rsp, disp8[fp].
|
||
//
|
||
|
||
NextByte += 4;
|
||
Bytes -= 4;
|
||
|
||
} else if (Bytes >= 7 &&
|
||
(NextByte[2] &0xf8) == 0xa0) {
|
||
|
||
//
|
||
// lea rsp, disp32[fp].
|
||
//
|
||
|
||
NextByte += 7;
|
||
Bytes -= 7;
|
||
}
|
||
}
|
||
}
|
||
|
||
//
|
||
// Check for any number of:
|
||
//
|
||
// pop nonvolatile-integer-register[0..15].
|
||
//
|
||
|
||
while (TRUE) {
|
||
if (Bytes >= 1 &&
|
||
(NextByte[0] & 0xf8) == POP_OP) {
|
||
NextByte += 1;
|
||
Bytes -= 1;
|
||
|
||
} else if (Bytes >= 2 &&
|
||
((NextByte[0] & 0xf8) == SIZE64_PREFIX) &&
|
||
((NextByte[1] & 0xf8) == POP_OP)) {
|
||
|
||
NextByte += 2;
|
||
Bytes -= 2;
|
||
|
||
} else {
|
||
break;
|
||
}
|
||
}
|
||
|
||
//
|
||
// If the next instruction is a return, then control is currently in
|
||
// an epilogue and execution of the epilogue should be emulated.
|
||
// Otherwise, execution is not in an epilogue and the prologue should
|
||
// be unwound.
|
||
//
|
||
|
||
InEpilogue = FALSE;
|
||
if (Bytes >= 1 &&
|
||
NextByte[0] == RET_OP) {
|
||
|
||
//
|
||
// A return is an unambiguous indication of an epilogue
|
||
//
|
||
|
||
InEpilogue = TRUE;
|
||
|
||
} else if ((Bytes >= 2 && NextByte[0] == JMP_IMM8_OP) ||
|
||
(Bytes >= 5 && NextByte[0] == JMP_IMM32_OP)) {
|
||
|
||
//
|
||
// An unconditional branch to a target that is equal to the start of
|
||
// or outside of this routine is logically a call to another function.
|
||
//
|
||
|
||
BranchTarget = (ULONG64)(NextByte - InstrBuffer) + ControlPc - ImageBase;
|
||
if (NextByte[0] == JMP_IMM8_OP) {
|
||
BranchTarget += 2 + (CHAR)NextByte[1];
|
||
} else {
|
||
BranchTarget += 5 + *((LONG UNALIGNED *)&NextByte[1]);
|
||
}
|
||
|
||
//
|
||
// Now determine whether the branch target refers to code within this
|
||
// function. If not then it is an epilogue indicator.
|
||
//
|
||
|
||
if (BranchTarget <= FunctionEntry->BeginAddress ||
|
||
BranchTarget > FunctionEntry->EndAddress) {
|
||
|
||
InEpilogue = TRUE;
|
||
}
|
||
}
|
||
|
||
if (InEpilogue != FALSE) {
|
||
NextByte = InstrBuffer;
|
||
Bytes = InstrBytes;
|
||
|
||
//
|
||
// Emulate one of (if any):
|
||
//
|
||
// add rsp, imm8
|
||
// or
|
||
// add rsp, imm32
|
||
// or
|
||
// lea rsp, disp8[frame-register]
|
||
// or
|
||
// lea rsp, disp32[frame-register]
|
||
//
|
||
|
||
if (Bytes >= 4 &&
|
||
NextByte[1] == ADD_IMM8_OP) {
|
||
|
||
//
|
||
// add rsp, imm8.
|
||
//
|
||
|
||
ContextRecord->Rsp += (CHAR)NextByte[3];
|
||
NextByte += 4;
|
||
Bytes -= 4;
|
||
|
||
} else if (Bytes >= 7 &&
|
||
NextByte[1] == ADD_IMM32_OP) {
|
||
|
||
//
|
||
// add rsp, imm32.
|
||
//
|
||
|
||
Displacement = NextByte[3] | (NextByte[4] << 8);
|
||
Displacement |= (NextByte[5] << 16) | (NextByte[6] << 24);
|
||
ContextRecord->Rsp += Displacement;
|
||
NextByte += 7;
|
||
Bytes -= 7;
|
||
|
||
} else if (Bytes >= 4 &&
|
||
NextByte[1] == LEA_OP) {
|
||
if ((NextByte[2] & 0xf8) == 0x60) {
|
||
|
||
//
|
||
// lea rsp, disp8[frame-register].
|
||
//
|
||
|
||
ContextRecord->Rsp = IntegerRegister[FrameRegister];
|
||
ContextRecord->Rsp += (CHAR)NextByte[3];
|
||
NextByte += 4;
|
||
Bytes -= 4;
|
||
|
||
} else if (Bytes >= 7 &&
|
||
(NextByte[2] & 0xf8) == 0xa0) {
|
||
|
||
//
|
||
// lea rsp, disp32[frame-register].
|
||
//
|
||
|
||
Displacement = NextByte[3] | (NextByte[4] << 8);
|
||
Displacement |= (NextByte[5] << 16) | (NextByte[6] << 24);
|
||
ContextRecord->Rsp = IntegerRegister[FrameRegister];
|
||
ContextRecord->Rsp += Displacement;
|
||
NextByte += 7;
|
||
Bytes -= 7;
|
||
}
|
||
}
|
||
|
||
//
|
||
// Emulate any number of (if any):
|
||
//
|
||
// pop nonvolatile-integer-register.
|
||
//
|
||
|
||
while (TRUE) {
|
||
if (Bytes >= 1 &&
|
||
(NextByte[0] & 0xf8) == POP_OP) {
|
||
|
||
//
|
||
// pop nonvolatile-integer-register[0..7]
|
||
//
|
||
|
||
RegisterNumber = NextByte[0] & 0x7;
|
||
if (!ReadMemory(Process, ContextRecord->Rsp,
|
||
&IntegerRegister[RegisterNumber],
|
||
sizeof(ULONG64), &Done) ||
|
||
Done != sizeof(ULONG64)) {
|
||
WDB((1, "Unable to read stack at %I64X\n",
|
||
ContextRecord->Rsp));
|
||
return FALSE;
|
||
}
|
||
ContextRecord->Rsp += 8;
|
||
NextByte += 1;
|
||
Bytes -= 1;
|
||
|
||
} else if (Bytes >= 2 &&
|
||
(NextByte[0] & 0xf8) == SIZE64_PREFIX &&
|
||
(NextByte[1] & 0xf8) == POP_OP) {
|
||
|
||
//
|
||
// pop nonvolatile-integer-register[8..15]
|
||
//
|
||
|
||
RegisterNumber = ((NextByte[0] & 1) << 3) | (NextByte[1] & 0x7);
|
||
if (!ReadMemory(Process, ContextRecord->Rsp,
|
||
&IntegerRegister[RegisterNumber],
|
||
sizeof(ULONG64), &Done) ||
|
||
Done != sizeof(ULONG64)) {
|
||
WDB((1, "Unable to read stack at %I64X\n",
|
||
ContextRecord->Rsp));
|
||
return FALSE;
|
||
}
|
||
ContextRecord->Rsp += 8;
|
||
NextByte += 2;
|
||
Bytes -= 2;
|
||
|
||
} else {
|
||
break;
|
||
}
|
||
}
|
||
|
||
//
|
||
// Emulate return and return null exception handler.
|
||
//
|
||
// Note: this instruction might in fact be a jmp, however
|
||
// we want to emulate a return regardless.
|
||
//
|
||
|
||
if (!ReadMemory(Process, ContextRecord->Rsp,
|
||
&ContextRecord->Rip, sizeof(ULONG64),
|
||
&Done) ||
|
||
Done != sizeof(ULONG64)) {
|
||
WDB((1, "Unable to read stack at %I64X\n",
|
||
ContextRecord->Rsp));
|
||
return FALSE;
|
||
}
|
||
ContextRecord->Rsp += 8;
|
||
return TRUE;
|
||
}
|
||
|
||
//
|
||
// Control left the specified function outside an epilogue. Unwind the
|
||
// subject function and any chained unwind information.
|
||
//
|
||
|
||
return RtlpUnwindPrologueAmd64(ImageBase,
|
||
ControlPc,
|
||
*EstablisherFrame,
|
||
FunctionEntry,
|
||
ContextRecord,
|
||
Process,
|
||
ReadMemory);
|
||
}
|
||
|
||
|
||
|
||
BOOL
|
||
WalkAmd64(
|
||
HANDLE Process,
|
||
LPSTACKFRAME64 StackFrame,
|
||
PVOID ContextRecord,
|
||
PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemory,
|
||
PFUNCTION_TABLE_ACCESS_ROUTINE64 FunctionTableAccess,
|
||
PGET_MODULE_BASE_ROUTINE64 GetModuleBase
|
||
)
|
||
{
|
||
BOOL rval;
|
||
PAMD64_CONTEXT Context = (PAMD64_CONTEXT)ContextRecord;
|
||
|
||
WDB((2, "WalkAmd64 in: PC %I64X, SP %I64X, FP %I64X, RA %I64X\n",
|
||
StackFrame->AddrPC.Offset,
|
||
StackFrame->AddrStack.Offset,
|
||
StackFrame->AddrFrame.Offset,
|
||
StackFrame->AddrReturn.Offset));
|
||
|
||
if (StackFrame->Virtual) {
|
||
|
||
rval = WalkAmd64Next( Process,
|
||
StackFrame,
|
||
Context,
|
||
ReadMemory,
|
||
FunctionTableAccess,
|
||
GetModuleBase
|
||
);
|
||
|
||
} else {
|
||
|
||
rval = WalkAmd64Init( Process,
|
||
StackFrame,
|
||
Context,
|
||
ReadMemory,
|
||
FunctionTableAccess,
|
||
GetModuleBase
|
||
);
|
||
|
||
}
|
||
|
||
WDB((2, "WalkAmd64 out: succ %d, PC %I64X, SP %I64X, FP %I64X, RA %I64X\n",
|
||
rval,
|
||
StackFrame->AddrPC.Offset,
|
||
StackFrame->AddrStack.Offset,
|
||
StackFrame->AddrFrame.Offset,
|
||
StackFrame->AddrReturn.Offset));
|
||
|
||
return rval;
|
||
}
|
||
|
||
BOOL
|
||
UnwindStackFrameAmd64(
|
||
IN HANDLE Process,
|
||
IN OUT PULONG64 ReturnAddress,
|
||
IN OUT PULONG64 StackPointer,
|
||
IN OUT PULONG64 FramePointer,
|
||
IN PAMD64_CONTEXT Context, // Context members could be modified.
|
||
IN PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemory,
|
||
IN PFUNCTION_TABLE_ACCESS_ROUTINE64 FunctionTableAccess,
|
||
IN PGET_MODULE_BASE_ROUTINE64 GetModuleBase
|
||
)
|
||
{
|
||
_PIMAGE_RUNTIME_FUNCTION_ENTRY FunctionEntry;
|
||
ULONG64 RetAddr;
|
||
BOOL Succ = TRUE;
|
||
|
||
FunctionEntry = (_PIMAGE_RUNTIME_FUNCTION_ENTRY)
|
||
FunctionTableAccess( Process, *ReturnAddress );
|
||
if (FunctionEntry != NULL) {
|
||
|
||
ULONG64 ImageBase;
|
||
// Initialized to quiet a PREfix warning.
|
||
ULONG64 EstablisherFrame = 0;
|
||
|
||
//
|
||
// The return value coming out of mainCRTStartup is set by some
|
||
// run-time routine to be 0; this serves to cause an error if someone
|
||
// actually does a return from the mainCRTStartup frame.
|
||
//
|
||
|
||
ImageBase = GetModuleBase(Process, *ReturnAddress);
|
||
if (!RtlVirtualUnwindAmd64(ImageBase, *ReturnAddress, FunctionEntry,
|
||
Context, &EstablisherFrame,
|
||
Process, ReadMemory) ||
|
||
Context->Rip == 0 ||
|
||
(Context->Rip == *ReturnAddress &&
|
||
EstablisherFrame == *FramePointer)) {
|
||
Succ = FALSE;
|
||
}
|
||
|
||
*ReturnAddress = Context->Rip;
|
||
*StackPointer = Context->Rsp;
|
||
// The frame pointer is an artificial value set
|
||
// to a pointer below the return address. This
|
||
// matches an RBP-chain style of frame while
|
||
// also allowing easy access to the return
|
||
// address and homed arguments above it.
|
||
*FramePointer = Context->Rsp - 2 * sizeof(ULONG64);
|
||
|
||
} else {
|
||
|
||
ULONG Done;
|
||
|
||
// If there's no function entry for a function
|
||
// we assume that it's a leaf and that ESP points
|
||
// directly to the return address. There's no
|
||
// stored frame pointer so we actually need to
|
||
// set a virtual frame pointer deeper in the stack
|
||
// so that arguments can correctly be read at
|
||
// two ULONG64's up from it.
|
||
*FramePointer = Context->Rsp - 8;
|
||
*StackPointer = Context->Rsp + 8;
|
||
Succ = ReadMemory(Process, Context->Rsp,
|
||
ReturnAddress, sizeof(*ReturnAddress), &Done) &&
|
||
Done == sizeof(*ReturnAddress);
|
||
|
||
// Update the context values to what they should be in
|
||
// the caller.
|
||
if (Succ) {
|
||
Context->Rsp += 8;
|
||
Context->Rip = *ReturnAddress;
|
||
}
|
||
}
|
||
|
||
if (Succ) {
|
||
ULONG64 CallOffset;
|
||
_PIMAGE_RUNTIME_FUNCTION_ENTRY CallFunc;
|
||
|
||
//
|
||
// Calls of __declspec(noreturn) functions may not have any
|
||
// code after them to return to since the compiler knows
|
||
// that the function will not return. This can confuse
|
||
// stack traces because the return address will lie outside
|
||
// of the function's address range and FPO data will not
|
||
// be looked up correctly. Check and see if the return
|
||
// address falls outside of the calling function and, if so,
|
||
// adjust the return address back by one byte. It'd be
|
||
// better to adjust it back to the call itself so that
|
||
// the return address points to valid code but
|
||
// backing up in X86 assembly is more or less impossible.
|
||
//
|
||
|
||
CallOffset = *ReturnAddress - 1;
|
||
CallFunc = (_PIMAGE_RUNTIME_FUNCTION_ENTRY)
|
||
FunctionTableAccess(Process, CallOffset);
|
||
if (CallFunc != NULL) {
|
||
_IMAGE_RUNTIME_FUNCTION_ENTRY SaveCallFunc = *CallFunc;
|
||
_PIMAGE_RUNTIME_FUNCTION_ENTRY RetFunc =
|
||
(_PIMAGE_RUNTIME_FUNCTION_ENTRY)
|
||
FunctionTableAccess(Process, *ReturnAddress);
|
||
if (RetFunc == NULL ||
|
||
memcmp(&SaveCallFunc, RetFunc, sizeof(SaveCallFunc))) {
|
||
*ReturnAddress = CallOffset;
|
||
}
|
||
}
|
||
}
|
||
|
||
return Succ;
|
||
}
|
||
|
||
BOOL
|
||
ReadFrameArgsAmd64(
|
||
LPADDRESS64 FrameOffset,
|
||
HANDLE Process,
|
||
PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemory,
|
||
PULONG64 Args
|
||
)
|
||
{
|
||
ULONG Done;
|
||
|
||
if (!ReadMemory(Process, FrameOffset->Offset + 2 * sizeof(ULONG64),
|
||
Args, 4 * sizeof(ULONG64), &Done)) {
|
||
Done = 0;
|
||
}
|
||
|
||
ZeroMemory((PUCHAR)Args + Done, 4 * sizeof(ULONG64) - Done);
|
||
|
||
return Done > 0;
|
||
}
|
||
|
||
BOOL
|
||
WalkAmd64Init(
|
||
HANDLE Process,
|
||
LPSTACKFRAME64 StackFrame,
|
||
PAMD64_CONTEXT Context,
|
||
PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemory,
|
||
PFUNCTION_TABLE_ACCESS_ROUTINE64 FunctionTableAccess,
|
||
PGET_MODULE_BASE_ROUTINE64 GetModuleBase
|
||
)
|
||
{
|
||
AMD64_CONTEXT ContextSave;
|
||
DWORD64 PcOffset;
|
||
DWORD64 StackOffset;
|
||
DWORD64 FrameOffset;
|
||
|
||
ZeroMemory( &StackFrame->AddrBStore, sizeof(StackFrame->AddrBStore) );
|
||
StackFrame->FuncTableEntry = NULL;
|
||
ZeroMemory( StackFrame->Params, sizeof(StackFrame->Params) );
|
||
StackFrame->Far = FALSE;
|
||
StackFrame->Virtual = TRUE;
|
||
ZeroMemory( StackFrame->Reserved, sizeof(StackFrame->Reserved) );
|
||
|
||
if (!StackFrame->AddrPC.Offset) {
|
||
StackFrame->AddrPC.Offset = Context->Rip;
|
||
StackFrame->AddrPC.Mode = AddrModeFlat;
|
||
}
|
||
|
||
if (!StackFrame->AddrStack.Offset) {
|
||
StackFrame->AddrStack.Offset = Context->Rsp;
|
||
StackFrame->AddrStack.Mode = AddrModeFlat;
|
||
}
|
||
|
||
if (!StackFrame->AddrFrame.Offset) {
|
||
StackFrame->AddrFrame.Offset = Context->Rbp;
|
||
StackFrame->AddrFrame.Mode = AddrModeFlat;
|
||
}
|
||
|
||
if ((StackFrame->AddrPC.Mode != AddrModeFlat) ||
|
||
(StackFrame->AddrStack.Mode != AddrModeFlat) ||
|
||
(StackFrame->AddrFrame.Mode != AddrModeFlat)) {
|
||
return FALSE;
|
||
}
|
||
|
||
PcOffset = StackFrame->AddrPC.Offset;
|
||
StackOffset = StackFrame->AddrStack.Offset;
|
||
FrameOffset = StackFrame->AddrFrame.Offset;
|
||
|
||
ContextSave = *Context;
|
||
ContextSave.Rip = PcOffset;
|
||
ContextSave.Rsp = StackOffset;
|
||
ContextSave.Rbp = FrameOffset;
|
||
|
||
if (!UnwindStackFrameAmd64( Process,
|
||
&PcOffset,
|
||
&StackOffset,
|
||
&FrameOffset,
|
||
&ContextSave,
|
||
ReadMemory,
|
||
FunctionTableAccess,
|
||
GetModuleBase)) {
|
||
return FALSE;
|
||
}
|
||
|
||
StackFrame->AddrReturn.Offset = PcOffset;
|
||
StackFrame->AddrReturn.Mode = AddrModeFlat;
|
||
|
||
StackFrame->AddrFrame.Offset = FrameOffset;
|
||
ReadFrameArgsAmd64(&StackFrame->AddrFrame, Process,
|
||
ReadMemory, StackFrame->Params);
|
||
|
||
return TRUE;
|
||
}
|
||
|
||
|
||
BOOL
|
||
WalkAmd64Next(
|
||
HANDLE Process,
|
||
LPSTACKFRAME64 StackFrame,
|
||
PAMD64_CONTEXT Context,
|
||
PREAD_PROCESS_MEMORY_ROUTINE64 ReadMemory,
|
||
PFUNCTION_TABLE_ACCESS_ROUTINE64 FunctionTableAccess,
|
||
PGET_MODULE_BASE_ROUTINE64 GetModuleBase
|
||
)
|
||
{
|
||
DWORD Done;
|
||
BOOL Succ = TRUE;
|
||
DWORD64 StackAddress;
|
||
_PIMAGE_RUNTIME_FUNCTION_ENTRY FunctionEntry;
|
||
|
||
if (!UnwindStackFrameAmd64( Process,
|
||
&StackFrame->AddrPC.Offset,
|
||
&StackFrame->AddrStack.Offset,
|
||
&StackFrame->AddrFrame.Offset,
|
||
Context,
|
||
ReadMemory,
|
||
FunctionTableAccess,
|
||
GetModuleBase)) {
|
||
Succ = FALSE;
|
||
|
||
//
|
||
// If the frame could not be unwound or is terminal, see if
|
||
// there is a callback frame:
|
||
//
|
||
|
||
if (g.AppVersion.Revision >= 4 && CALLBACK_STACK(StackFrame)) {
|
||
DWORD64 ImageBase;
|
||
|
||
if (CALLBACK_STACK(StackFrame) & 0x80000000) {
|
||
|
||
//
|
||
// it is the pointer to the stack frame that we want
|
||
//
|
||
|
||
StackAddress = CALLBACK_STACK(StackFrame);
|
||
|
||
} else {
|
||
|
||
//
|
||
// if it is a positive integer, it is the offset to
|
||
// the address in the thread.
|
||
// Look up the pointer:
|
||
//
|
||
|
||
Succ = ReadMemory(Process,
|
||
(CALLBACK_THREAD(StackFrame) +
|
||
CALLBACK_STACK(StackFrame)),
|
||
&StackAddress,
|
||
sizeof(StackAddress),
|
||
&Done);
|
||
if (!Succ || Done != sizeof(StackAddress) ||
|
||
StackAddress == 0) {
|
||
StackAddress = (DWORD64)-1;
|
||
CALLBACK_STACK(StackFrame) = (DWORD)-1;
|
||
}
|
||
}
|
||
|
||
if ((StackAddress == (DWORD64)-1) ||
|
||
(!(FunctionEntry = (_PIMAGE_RUNTIME_FUNCTION_ENTRY)
|
||
FunctionTableAccess(Process, CALLBACK_FUNC(StackFrame))) ||
|
||
!(ImageBase = GetModuleBase(Process,
|
||
CALLBACK_FUNC(StackFrame))))) {
|
||
|
||
Succ = FALSE;
|
||
|
||
} else {
|
||
|
||
if (!ReadMemory(Process,
|
||
(StackAddress + CALLBACK_NEXT(StackFrame)),
|
||
&CALLBACK_STACK(StackFrame),
|
||
sizeof(DWORD64),
|
||
&Done) ||
|
||
Done != sizeof(DWORD64)) {
|
||
Succ = FALSE;
|
||
} else {
|
||
StackFrame->AddrPC.Offset =
|
||
ImageBase + FunctionEntry->BeginAddress;
|
||
StackFrame->AddrStack.Offset = StackAddress;
|
||
Context->Rsp = StackAddress;
|
||
|
||
Succ = TRUE;
|
||
}
|
||
}
|
||
}
|
||
}
|
||
|
||
if (Succ) {
|
||
AMD64_CONTEXT ContextSave;
|
||
ULONG64 StackOffset = 0;
|
||
ULONG64 FrameOffset = 0;
|
||
|
||
//
|
||
// Get the return address.
|
||
//
|
||
ContextSave = *Context;
|
||
StackFrame->AddrReturn.Offset = StackFrame->AddrPC.Offset;
|
||
|
||
if (!UnwindStackFrameAmd64( Process,
|
||
&StackFrame->AddrReturn.Offset,
|
||
&StackOffset,
|
||
&FrameOffset,
|
||
&ContextSave,
|
||
ReadMemory,
|
||
FunctionTableAccess,
|
||
GetModuleBase)) {
|
||
StackFrame->AddrReturn.Offset = 0;
|
||
}
|
||
|
||
StackFrame->AddrFrame.Offset = FrameOffset;
|
||
ReadFrameArgsAmd64(&StackFrame->AddrFrame, Process, ReadMemory,
|
||
StackFrame->Params);
|
||
}
|
||
|
||
return Succ;
|
||
}
|